For a while I noticed all the scam links my grandmother was getting were from ‘.top’ domains. I fully blocked it at the DNS level. Her DNS settings also block all newly registered sites for 90 days. She hasn’t ever had issues with it. But these have actively prevented her from clicking on scam links multiple times.

Facebook, google, and all the popular sites are all older than 90 days, on popular well known TLDs. My grandmother doesn’t seek out new trendy sites.

It was definitely something I considered when buying a new domain. I sorted by price, and then immediately ignored all the cheapest domains that were ~$1 because I’ve seen them being used for scams. They may be cheap but good luck using them.

You can also request Google to index your site on GSC as well.

You should probably add your websites to GSC.

And yes, you probably should, if only to pre-register your ownership thereof if google ever decides to nuke you from orbit

Google's way of tying real identifies of people to domains, without making it explicit.

Basically, your domain will be weirdly treated by a bunch of entities, none the less Google themselves, if you don't add your domain there (or some other Google property).

Especially with less common TLDs, like .online, they really want to be able to tie it to some identity, so unless you add it there, eventually your domain ends up on some sort of blacklist, in the case of the author it seems they used the "Google Safe Browsing" blacklist to get the author to involve Google somehow.

But if you do - you would get some notifications from Google about that website/domain.

I've only ever seen emails of the "There's an increase in 4xx/5xx errors on site/page(s)"

https://tldrisk.com/beyond-basics/reclassification/

> This basically makes the entire TLD unviable for serious use.

It doesn't just make the TLD in question unusable. I think it makes most of the new gTLDs unusable. Registries can enact policies and systems like this, regardless of the detriment to registrants, due to a lack of oversight and registrant consideration by ICANN. That creates uncertainty and makes it pragmatic for registrants to simply choose the gTLDs with lots of history and precedence; .com, .org, etc..

The only two TLDs I'd personally rely on are .com (gTLD) and .ca (ccTLD).

If you plan on building a legit site, do not use any of these cheap TLDs.

So, might as well to block entire TLDs and never buy a domain under those TLDs

So yes, this appears to be a TLD- (or at least registry-) specific issue.

I use my older, much longer domain for email and identity (it used to be #3 on SERP for "Sid"). This one is just for giggles so I can blog in peace without affecting the main one.

Free is good, but sometimes it's not.

In the past when this happens I usually reset the password and change the email to some anon throwaway but I can't do that without Raymonds DOB (don't quote me on that, been a while since I tried).

Was called webmastertools before.

The problem is the vanity domain registrar Radix using that as a reason to _put the whole domain on hold, including all subdomains, email entries etc._

This means:

- no way to fix accidental wrong "safe search" blacklisting

- if it was your main domain no mails with all the things it entails

- no way to redirect API servers, apps etc. to a different domain. In general it's not just the website which it's down it's all app, APIs, or anything you had on that domain

Google Safe search is meant to help keep chrome users safe from phishing etc. it is fundamentally not designed to be a Authority Institute which can unilaterally dictate which domains are no longer usable at all.

Like basically what Radix did was a full domain take down of the kind you normally need a judge order for... cause by a safe browsing helper service misfiring. That is is RALLY bad, and they refuse to fix their mistake, too.

You normally don't have _that_ level of fundamentally broken internal processes absurdity with the more reputable TLD operators (which doesn't mean you don't have that in edge cases, but this isn't an edge case this is there standard policy).

https://prezkennedy.com/2026/01/15/the-free-domain-trap-the-...

> Freenom’s terms of service allowed them to “cancel” a free domain at any time without warning. Users reported for years that as soon as their free site started getting significant traffic (and becoming valuable), Freenom would reclaim the domain and fill it with ads, effectively hijacking the user’s hard work.

Also, some TLDs directly speculate on having very low prices for the first year or two, then 10x it on year 2 or 3.

Also, go figure Namecheap works with these morons.

Sorry, can’t buy a frame.work laptop because that’s a “Malicious TLD”, according to the folks at ZScaler.

OP says:

> no gore or violence or anything of that sort

That’s not even the right criteria. OP is confused about Google Safe Browsing vs Safe Search.

I suspect there is something the author is not telling us.

I got hit by this from google.

1. Gmail added requirement for 2FA on my primary email address. Since I had no phone number on file, it instead used my recovery email address. Thankfully, I still had the password for my recovery email address, and could continue to (2).

2. Gmail added requirement for 2FA on my recovery email address. Since I had no phone number on file, it instead used by recovery's recovery email address. Thankfully, I still had the password for my recovery's recovery email address, and could continue to (3).

3. SBC Communications no longer exists, as it merged with AT&T in 2005. Email addresses at `sbcglobal.net` were maintained up until around 2021-ish, when they started purging any mailboxes that had been idle for more than 12 months.

Fundamentally, this was google's fault for misusing a recovery email for 2FA. Unfortunately, the only way to fix it would be to contact AT&T, asking them to pretty please update the email settings for somebody who hadn't been a paying customer for two decades.

On the flip side of the coin I cannot get a site removed that is a blatant rip off of one of our websites being actively used for invoice redirection fraud.

I constantly remove it whenever Gmail sends me the notification.

I can't help but think there is some method for the other person to steal my Gmail account if I never remove my email as their backup.

One of the requests was for a business card ... I haven't had a business card made with my name on it in 20 years.

The amazing thing is that I bet scammers working this system can get through this faster than I can.

At this point they should just give me control because no way would some scammer fail this much at this ungodly process.

The external people treating these lists as absolute truths and automatically taking domains down are the ones at fault here. Google didn't grab power, Radix gave it to them without asking.

I do wish there was a requirement for some sort of "no" button that would stop sending sign up requests entirely.

I wonder if finding people responsible and spamming then with their own service emails would make the team care enough to fix this. But of course that's mostly dubious, probably illegal, and shouldn't be a responsibility of some vigilante hacker

It is critical in the sense that if you want to appeal the decision in a case like this, it will go much better if you pre-verified that you own the domain.

(I don't think it has much effect on google search placement at all)

Or don't want to pay a $2k ransom to a name squatter... For some businesses that is a rounding error (saas, other high volume high margin stuff), but for small businesses like restaurants or event planners, spending that much on a domain name would be foolish.

I've also never added domains to Google Search Console and haven't had blacklisting issue other than with a free .ml (another "cursed" TLD) site that was by default assumed to be spam by Facebook Messenger.

It's unfortunate that this category exists, but I don't share the OP's .com purism; I've used a mix of TLDs and even the cheap ones like .fyi and .cc haven't come under extra scrutiny as far as I can tell.

Relevant xkcd:

https://xkcd.com/1279/

Yeah, I get the same regularly.

Similar issues to .io happened with the popularity of .tv domains, which again is a ccTLD. The government of Tuvalu sought to increase income from sales of their ccTLD and prices went up. Tuvalu is such a small nation .tv domain sales ended up making a significant part of the State's income.

Another fun example of the mess you can get into with ccTLDs was when the UK left the EU. All UK registered .eu domain names were cancelled following the UK exit from the bloc.

gTLDs generally have some degree of insulation from State-level politics. ccTLDs permit the nation or territory they represent much more say in how they are priced and who they are sold to.

.store, .online, .tech, .site, .fun, .pw, .host, .press, .space, .uno, .website

not sure about other registrars

I don't think that they could ban emails from .de for what its worth.

Personally I like .in domains too. Makes more sense to me because I am well Indian and we all use it quite frequently/sort of intutitively know fwiw but if I just want a domain for email purposes for cheap. Honestly, .de could be good.

https://tld-list.com/ [Try seeing the cheapest renewal rate with top level TLD and ignore .storage which costs 465$ for registration smh]

Some other domains like .top exist as well in this league imo but .de is one of the best if you can find a relevant domain in .de

That's not me saying there shouldn't be a warning and a recourse, but the time-to-profit for domain abuse is really short so anti-abuse actions have to be quick.

There are many of reports of the same happening to other sites, some of the top ones (you can find many more by searching HN for "google safe browsing"):

- https://news.ycombinator.com/item?id=33526893

- https://news.ycombinator.com/item?id=25802366

- https://news.ycombinator.com/item?id=45675015

Etc.

Once it became clear that they'd shifted from "crappy customer service" to (IMNSHO) "we fetishize the complete absence of customer service" it became dangerous to depend on them. Really, what's the worst that could happen? Maybe someone spams emojis in live chat on a game livestream at the request of the streamer on a personal account, it gets banned for abuse, Google recognizes that it's linked to other services and locks down everything? But that's so unrealistic I'm sure it could never happen.

It's not like they also have the ability to identify links between multiple accounts accessed by the same person and have automated processes that might stomp the associated accounts as well. Why, that would probably require something like allowing poorly-understood automated agents to take actions on their own!

We both get hit with "OG Hell," where people are constantly entering our emails. I think most time, it is accidental (maybe they meant "XXX1234", and forgot the number).

What makes it worse, is that Apple aliases mac.com, icloud.com, and me.com together, and there's no way to turn off one of the aliases.

mac.com is really in retirement. No one sets up new ones, but the miscreants typo icloud.com, which gets routed to me.

I have a rule, where I shitcan every mail to icloud.com, but I wish I could simply turn off the forwarder.

I get TONS of emails of people trying to join services that use my address as a "fake email".

Because keeping Google happy or at least not bothered is an existential priority for registrars

Considering that getting a domain is a normal part of business these days, this kind of thing should be illegal. Not to mention, why does Google have any say in this?

Which likely is slow without a poke it's reasonable to base the decision on whats available.

That's just how reputation works.

I hope it's because I have small simple email and not because they want to steal it.

Or yours, for not caring about 2FA. It's been a common practice for many years, and strongly recommended by most identity services, as well as OWASP and NIST recommendations.

What would you do in Google's place?

Malicious in-attention then, by the profit driven org? :)

That doesn't prevent a huge majority of them from sending you notification emails all the time even if you never verify.

https://news.ycombinator.com/item?id=40195410

I know someone with a .org domain, and even they have a ton of issues with false flags on their emails due to not coming from a big email provider. They’ve been blacklisted a couple times and regularly get flagged as spam. I’m surprised he hasn’t given up after dealing with this stuff for 25 years.

These new TLDs, I thought, were supposed to open up more options for regular people to get a domain that is semi-decent. Instead they’re essentially useless. Some of the prices are also still insane, due to assumed “premium” status or domain squatters.

There has to be a better way to police this stuff.

And Google has the right to publish a list, there should be more lists not less. But Google was at fault for not correcting their blacklist. Until the article appeared on Hacker News, this was not 0% on Google. A small, correctable mistake, but they deserved a tiny bit of blame.

What is to stop everyone from doing this blacklisting?

I run a few websites that accept an email address (all noncommercial, I have no interest in spamming anyone). One of them is the "contact me" feature on my personal website. To prevent spam, I had people just put in their email address and it'll automatically email them my email address. This works perfectly to this day, haven't got a single spam email on any of the addresses I've handed out, but the ratio of emails sent out to received is probably 50 to 1. Why would anyone put an email address in there if not to contact me? I've been wondering if it's used by mail bombing services, idk if that's a thing but I know of the concept of annoying someone by signing them up for a hundred newsletters. My site doesn't send recurring emails, though, and it doesn't allow putting more than two email addresses per month in, per /24 IPv4 block (and even more strict on v6). It's useless for mail bombing services but the (presumed) bots keep submitting a steady rate of maybe 2 new email addresses per day, each time from a new ISP in a random country. No email addresses is ever submitted twice. No rhyme or reason to it. If anyone can make sense of this, that might help me in stopping the abuse

Scam websites will use any TLD in my experience. Based on the ones that made it to my Google search results, .it and .info are the TLDs I should be blocking. When I search for "free roblox cash", most websites are .com. "Free robux" also brings forth a few .ca websites. "Free steam gift card" leads to .org and .com.

I use them when I need a random domain.

In my opinion, .de , .ovh , .uk or personally my country's .in (yes OVH has their own TLD that you can use)

.de is one of the more interesting domains to me personally even though I am not german.

On the other hand... Occasionally someone gets my info because some careless person entered my email address into their system incorrectly. You'd think this problem would be solved by moving to a custom domain, but I still once in a while find someone completely ignore what I put into the form and sign me up as firstnamelastname@gmail.com.

It said that https://aid.de was available. I was out of the moon happy (silly me) thinking that its such a good domain or something.

Then I saw aid.de available in namecheap for around 2$ ish but for some reason I took a bath and hten later it showed 10$ ish.

Okay, I then went to spaceship and it also showed me aid.de available. I then took my card and signed up

Well the transaction took place but got refunded. It said that there was an issue or something and got insta refunded

Silly me, thought that the payment had issues and decided to do payment again. This time though my refund had to wait 10 days to come back because of international laws.

Now I had only very little amount stuck btu I can see someone losing substantial money/having it stuck

I contacted their support and they told me that both namecheap/spaceship have a bug where some domains show available when they aren't.

I haven't checked but since the amount was like 1-2$ now but this whole thing really soured my relationship with namecheap/spaceship.

For context, before this, I also had a hate/love relationship with namecheap because once I bought a domain with them using crypto and also bought their vpn which was like 20 cents basically

It had auto renewal on and my domain costed 1$ but crypto payment requires 10$ minimum and the VPN charged me money from that.

Luckily I had spotted before the 2nd month and to be honest, like only 1 month 10 days or something and I urged the namecheap company to do what's right (in that moment because a lapse of judgement had been made from my side/error and I hoped that namecheap could realize it and do "right" instead given that the cost was only around 10$ fwiw)

After waiting for many days, they finally did what's right and gave me my credits back as a one off thing and I then turned off their domains.

I also used a crypto swap thing to convert b/w usdc and btc (what namecheap accepts) and I had an issue of doing two times payment after the timeperiod of btc payment (15 mins) but they also fixed that issue by adding the credits manually when I raised the issue.

Their customer support at times can be good but the platform itself is a little shady in my opinion. For the VPN thing if I remember correctly, the auto renew was written with grey and I genuinely didn't read it without my specs.

I am gonna keep my domain with namecheap that I have and if I get deals from namecheap/spaceship then use them, but for individual domains without deals, hell no.

I know that many people don't like the centralized nature of cloudflare but cloudflare is a good thing for domains :/

I personally just buy domains from wherever's there's a deal right now as some domains I have are some that I keep for only 1 year or similar.

To be honest, if I want to pick a domain-thing, I'd rather pick the one which is the cheapest or if not, then the one which only sells domains

I just looked at porkbun and they only sell domain related things and at best mail (they also have a deal with proton which can be interesting to many)

Porkbun is also cheap so I think I would recommend porkbun/cloudflare.

I haven't decided if I will transfer my domains from namecheap or not but their customer service is nice but the same can't be said for their service sometimes in my opinion.

It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.

Libel suits can be financially catastrophic, so even a tiny false positive rate could present risk that disincentivizes producing such software at all.

And a threat detection mechanism that has a 0.0% false positive rate is conservative to the point of being nearly useless.

It’s not libel. Defamation requires a false statement of fact. Marking a website as “unsafe” is an opinion.

If Google wanted to lock me out of my account for my own good until I enabled 2FA, fine. But as GP stated, they abused the recovery email addresses to force 2FA on people and ended up locking some people out of their accounts.

I dont care if their pre-LLM ai says "thingy bad". They are responsible for the scripts or black boxes they control. I dont care if they dont give a reason.

Claiming bad/malicious/etc site is 100% libel. And doubly so, anybody who has been forced to agree to a ToS with binding arbitration should have it removed for libel.

if you make an app it is not your customers responsibility to secure it with additional actions from their side..if it is, you need to make it mandatory and guide them step by step.

you cant after a while enable some toggle.and tell people to fuck off and its the fault of their ignorance to not know some technical details.

most consumers of these services dont know shit about IT and they should not be burdened with it..any product that demands it is either only meant for tech savy people or more likely lazily and badly engineered by money hungry people who see opportunity to make more money in user's issues.

Google is one of the rare places I actually see positive value to 2FA. Compare with say banks, where it being demanded actually decreases my security. But regardless, it should not be forced.

This probably doesn't comply with the relevant recommendations, but cutting a user of from their email is worse in my opinion.

If all it takes to be taken from the blacklist was to temporarily delete the NS record - the list would be useless against malware.

It doesn't really matter that it's Google. It could have been Microsoft, or PAN, or McAfee or some fly-by-night vendor. The problem was Radix taking the list as iron-clad truth and disabling the domain without any notification or way to resolve the issue.

When I first bought an .online, it was not cheap

At this point, NEVER buy any radix.website TLD domains.

I am seeing pinggy had the same issue with their .online domain and this actually definitely caused hurt to their business https://news.ycombinator.com/item?id=40195410 (I saw this post from their comment in here referencing it)

What Radix does has no impact on Google, and I don't see how Google would be incentivized to pressure Radix. So I don't see how to make the leap blaming Google for Radix's incompetence. Yes, Google should recognize the risk of this happening, but they'd have to balance that against the rewards (or at least what they consider rewards)

Spyware filters used to boast about how many domains they filter out because they wanted you to buy their filters instead of someone else's. By the time they hit a false positive, they've already sold a year's subscription to that customer.

The incentives are different.

Aren't they only affordable for the first year though?

Considering .top domains have cheap registration and renewal. To me, it does feel as if .top are very speculative. I liked to search random things in tld-list to find unique-word.<any tld> so like random.top but my past experience says that .top domains are bought quite a lot/very speculative.

If possible I like .de but I think that .top are fine too. Both are great for what its worth.

> It however is falsely maligned by those with small brains who stereotype things.

I didn't know about this, can you please elaborate more about it?

In other words, if you can't deal with the false positives in a timely manner. You SHOULD be liable for the damages.

I can't build a budget car put together in an unsafe manner. Then complain I can't compete due to all the peoples cars crashing and blowing up and suing me.

That is more than an opinion. Chrome has a monopoly and should act accordingly. Blocking entry to a website should be a last resort, not just because someone didn't add their website to the whitelist.

The problem is that these gatekeepers of the internet respond to false statements of facts/opinions by so called professionals.

I had cloudflare mark a worker as phishing because a AI "security company" thought my 301 redirect to their clients website was somehow malicious. (url redirects are normal affiliate things)

If the professionals don't understand the difference and cloudflare and google blindly block things, this is scary.

I get that's mostly what corporate lawyers argue about, but it's functionally dishonest in this case.

Same with if they become aware of defamation and fail to retract and make a statement. But newspapers will generally also thoroughly investigate themselves to make sure what they are publishing is true.

If the opinion is meant to be just another opinion, then it shouldn't cause any blacklisting of any sorts anywhere.

Fuck Google.

This is absolutely libel. They put a big fucking red banner on top of my site, telling the world that it's unsafe, using all the authority they have as one of the largest tech companies in the world.

In my case - it was a jellyfin instance I'd stood up to host family videos of my kids for my parents.

It was not compromised, and showed only a login page. I reported it as a false flag repeatedly, for weeks, with Google doing jack fucking shit.

Only after signing up in their search console and registering the site did the warning disappear.

They are abusively forcing people into their products. Fuck Google.

In case it wasn't entirely clear - Google can get fucked. Fuck Google.

No, it's not.

You're welcome to cite case law if you want to insist. Otherwise, unsafe (in the context of infosec) has a definition of likely or able to cause harm or malfunction. Something that is provable or falsifiable with evidence.

No it isn't. https://www.law.cornell.edu/wex/defamation

Please, use words correctly.

Just include "not me!" In the verification email, dam it

They may well be looking for targets.

>You send it to johnsmith@gmail.com

>You receive a new message, it says "Hey, can you please stop using my email address?"

>You're johnsmith@gmail.com, you only know that's the address that's being used

PD: I know that if he resets the password he can get the other address, but this scenario was funny in my head.

They certainly did a proper thing forcing people to use 2FA AFTER multiple emails over the years recommending to turn it on, and warning that they will enforce it, which they did.

Yes, some banks implement it silly, like SVB requiring biometric login in order to scan one-time QR 2FA code from their app (biometric login is less secure), but you don't have to use the QR code, can use regular 2FA without biometrics.

But even then having 2FA is 42 times better than not having it.

- They make almost all their money on advertising

- They have deep ties to the US intelligence agencies (To the point that a Google employee managed the appointment calendar for our Secretary of State a few years ago!)

So, how would these incentives apply to their Internet blacklist?

- If you are parking lots of Google ad spam, they are taking a cut of your revenue, so they have an incentive to take you off the list (evidence and testimony from the antitrust trial documented ongoing fraud in every layer of Google's vertical ad monopoly)

- If you are hosting something the intelligence agencies dislike / are neutral to / like, that'll impact your presence on the list.

When pointing out that legal parallels exist, to enact a solution, must I envision that solution?

There is also the headache of PR issues when they get a false NEGATIVE. “Google didn’t protect grandma from this scam website!”

Those with small brains who stereotype things often claim that .top is used only for scams, and that if a site is using .top, it means they're a scam site. In making this foolish assertion, they confuse P(A|B) with P(B|A). To continue, see the ChatGPT share 699f272e-475c-8012-ae9a-a89bd136fd01

> it does feel as if .top are very speculative

Sure, they can be, but again it's no reason to stereotype. They can be or become whatever they want to be.

“We’ll be right over.”

That's why Google sent them multiple emails explaining what it is and recommending to turn it on. What else could Google do?

Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.

I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.

I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."

It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail to. I'll still wildcard the domain, but to a single mailbox on my own mta.

I'm not sure how bad the spam might get though... I've had a test account on my mta for a couple years and it hasn't really recived any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.

Step 2: Alter filters to mark newly-registered domains and low-traffic websites as "potentially harmful".

Step 3: Charge a lot of money for "business verification" - which gives them a fancy badge somewhere and incidentally makes their website trustworthy in the eyes of your filter.

Step 4: Profit!

The Big Tech cartel has been doing this pretty successfully with email (see the weekly "Don't self-host your email" posts), why should we assume they are doing anything different with browser-based website blocking?

I had my main family domain put on Google's safe browsing block list and it has a massive impact. No one can visit the site. I think apps using system browser runtimes (ie: mobile) may stop working. I've seen reports that it can impact email deliver-ability. And, now, we see that it can get your domain put on serverHold so the problem becomes impossible to rectify.

Google should have to pay for the damage. In my case, it was about 4h of work to figure out what was going on and how to fix it, so not much, but I've seen small businesses that rely on their primary domain to drive most of their sales via web and email. In those cases, having your domain placed on server hold because of Google's false statements can have a serious, detrimental financial effect.

For clarity I'm not agreeing or disagreeing, but what means sense to the layperson (including experts in a particular field) is sometimes at odds with what the law says.

In other countries local TLDs are of course normal (e.g. .it for Italy, .za for South Africa, .cn for China...) and not only used for scam links.

Scalable systems need to use heuristics to catch threats. Needing concrete evidence in every case means that an enormously higher amount of malicious resources will not be flagged.

There is a policy argument as to the right balance of concerns here. But there is a clear trade-off to make.

I agree with this! The registrar should not have triggered a suspension because of this. They're not obligated to, and the two processes should be decoupled.

“unsafe” is a term that is both broader and more vague, so I would consider it opinion unless backed up by appropriate facts (like “contains CSAM”, “contains malware”, and so forth).

What you can't do is imply non-public knowledge, aka "I heard from my cousin who works in law enforcement that Kyle murdered a hobo when he was 12 but the records were sealed", or state specific facts that can be proven true or false: "Kyle murdered a hobo on September 11, 2018 out back of the 7-11 in Gainesville, FL"

The standard for libel/slander is much, much higher than people think. It's extremely difficult to meet them, and for public figures, it's almost impossible.

> a plaintiff must show four things: 1) a false statement purporting to be fact; 2) publication or communication of that statement to a third person; 3) fault amounting to at least negligence; and 4) damages, or some harm caused to the reputation of the person or entity who is the subject of the statement.

They falsely marked the site unsafe[1] on a published list[2], the results weren't checked and couldn't be appealed[3] and OPs site was taken down[4].

Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. Its chaos.

Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and its not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.

Send emails into that pit of PII misery if you want. I don't read them.

Indeed. I was going to register an account somewhere the other day, and the signup form had a list of acceptable email domains. Gmail, Protonmail, Outlook, Yahoo, Icloud... a few others. It's not the first time that's happened to me. Sad.

EDIT: Didn't even include Fastmail, who's pretty big after all. They host MX for my domain, so I could have "circumvented" it that way with their disposable address feature, but nope.

that whiny bullshit about somebody elses website? you dont have to rely on a website or app. either you need their monopoly because you cant do it yourself, or you have options.... in both cases the whining is not needed

There is no incentive for adding false positives to lists of malicious websites.

But my point is that any knock on effects like domain suspension, email deliver-ability, etc. stem from 3rd parties misusing the safe browsing list outside the scope of safe browsing.

I don't see how Google can be blamed for other companies erroneously treating the safe browsing list as a source of truth for generally malicious domains

Giving everyone a fair trial just doesn't scale. It costs too much.

"Your Honor, we banned this person's website because his web page contained the word 'bitcoin' more than 5 times" will not hold up.

"Your Honor, we banned this person's website because it contains a bitcoin miner script. See, here is the script, and it matches the hash value found in these other attacks" hopefully holds up.

Except when it isn't. CSAM may be easier to define and identify than pornography, but there still exists material that treads a moral grey area.

No.

The source should be more careful. It's the equivalent of a renowned newspaper printing warning a restaurant being unsafe to visit. Should the customers' willingness to visit be magically decoupled from this opinion?

I reported a falsely flagged site repeatedly for weeks with absolutely no action from them.

Mozilla and Microsoft both did actually remove the warnings after the reports (Edge and Firefox stopped displaying the warning). Google did not. Google strong armed me into registering for google products, like a fucking bastard of a company.

This was the moment I went from "I don't love google anymore" to "Google can get fucked".

I wish them bankruptcy and every damn legal consequence that is possible to enforce.

That's ... not quite true. I wouldn't go that far.

Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.

I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.

Chrome is big enough that a website owner can't afford a false positive on their malware list, just like they can't afford to have all their email end up in spam for all Gmail users.

Due to their near-monopoly Google also has no incentive to avoid adding false positives to their blocklist - provided they don't accidentally block high-profile targets. And if a CxO is screaming over your shoulder that your website has been blocked, arguments about "false positives" aren't very compelling: they'll just demand you move off the "shitty basement provider" and switch to "proper hosting, like the Google Cloud"...

That's fair and I agree. My opinion is that both should be liable in a case like this. If I had to attribute it, my starting point would be that Google is liable for the loss of website traffic and the registry is liable for the loss of email and all other lost services due to the domain suspension.

It spirals though because, like you pointed out, no one forced (ex:) Mozilla or Apple to adopt the blacklist. They did that voluntarily, so they should be responsible for their share. That's why nothing ever gets fixed. It's broken, but there's so much potential for finger pointing that no one gets pinned down and held responsible.

The answer is always the same IMO. Break up big tech companies into a million little pieces.

Google should not have known that someone would misuse their block list to block domains. But now that someone is misusing their block list to block domains, if someone brings it to their attention, the next time this happens, they will have known it.

I am not a lawyer, I am not your lawyer, and this is not legal advice.

I'm not saying they should "ignore" reports of abuse but treat them as they are -- reports. They can then perform their own independent investigation.

That may well have happened here. I suspect the author isn't telling us something.

1A rights are construed really broadly. The courts don't do the 'he wasn't legally convicted therefore it's illegal to call him one' thing.

Opinions and facts in a legal context usually comes down to who is saying what. Someone personally says "this soup is bad" on a review site = opinion. A news site plastering it on their front page = fact.

A person saying something as an individual is usually considered an opinion. A company doesn't have that same protection.

Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.

I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.

Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.

I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).

The First Amendment doesn't protect the speaker against all forms of defamation (though it does put some barriers up that make it harder to win in some circumstances). If it did, defamation as a cause of action wouldn't exist at all.

As a practical matter, though, this is largely theoretical. Once you've been through the rigamarole of arrest, prosecution, and trial, even if you're found not guilty of the crimes committed, the reputational damage is just too widespread. You're not going to go after the defamers: there are just too many, and if you tried, there would be a fair question as to whether you have any positive reputation left to injure. Your life is pretty much ruined. It's a pretty terrible situation for the wrongly accused.

Whom are you quoting here? A court opinion?

In the US, it really doesn't matter who says it, the only thing that matters is who it's being said about.

If you are a "public figure" -- which is a much broader category in 1A law than you think -- then in order to prove defamation, you have to prove the thing was false _and_ that the person saying it knew it was false at the time. Not that they were mistaken, not that they were careless, not that they knew later, they deliberately lied and knew they lied as they said it.

If your next question is "how do you prove what someone was thinking", then yes. That is the reason it's nearly impossible.

"It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."

Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.

But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.

Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.

Opinions (Protected) vs Facts (Not Protected)

Defamation cases where individuals say something are usually considered opinions and companies are usually considered facts in the eyes of the courts. I say "Usually"

Defamation also DOES NOT require intent, but it requires a minimum level of fault (negligence)

Google saying something is unsafe in the web search or browser would not be considered an opinion because of their position of authority. It would not even be a debate since Google has already said they make decisions based on facts and data presented to them.

The only question is are they negligent in their assessment or response to a false report. And what would be the damages. In the case of a phishing report that is false courts would already consider it defamation per se (damages presumed)

Does it? So I can say, "I'm not your lawyer, but I'm happy to go ahead and give you specific legal advice on your case." and I can't be accused of illegally practicing law? I was under the impression that this could still get you into hot water. But not being your lawyer, due to the fact that I am not a lawyer at all, I don't know if it is true or not.

Everything the Supreme Court rules is an "opinion." And they're the ultimate arbiter of legal questions in the U.S.

Whether a statement is a fact and whether the person who said it is considered an "authority" or not are independent concerns.

And we are also 100% talking about public figures. "Public figures" include companies and it's a critical part of 1A since Times v Sullivan.

Google is a US company and has 1A rights. That's how it works. The rest of what you said is nonsense and is your idea of how it should work, but has nothing to do with how it actually works.

As with all things, who are you going to get in trouble with? And what's so magical about legal practice as opposed to, say, giving shitty medical advice or telling someone how to build porch? Asking genuinely. No one falls all over themselves to say "I am not a doctor, but...", even though their next words could kill someone. The implication is that they don't have formal training but they saw something on Facebook that you should try. What happens next is on you, not on them.